Common  Criteria 


ARRANGEMENT 

on  the 

Recognition  of  Common  Criteria  Certificates 

In  the  field  of 

Information  Technology  Security 


May  2000 


Report Documentation Page

Report Date: 01052000
Report Type: N/A
Dates Covered (from... to): -
Title and Subtitle: Arrangement on the Recognition of Common Criteria Certificates In the Field of Information Technology Security
Performing Organization Name(s) and Address(es): Booz Allen & Hamilton, 8283 Greensboro Drive, McLean, VA 22102
Sponsoring/Monitoring Agency Name(s) and Address(es): The Common Criteria
Distribution/Availability Statement: Approved for public release, distribution unlimited
Supplementary Notes: The original document contains color images.
Subject Terms: IATAC COLLECTION
Report Classification: unclassified
Classification of this page: unclassified
Classification of Abstract: unclassified
Limitation of Abstract: UU
Number of Pages: 40



The  Participants 


Defence  Signals  Directorate  and  Government  Communication  Security  Bureau 

from  Australia  and  New  Zealand 

and 

Communications  Security  Establishment 

from  Canada 

and 

Ministry  of  Finance 

from  Finland 

and 

Service Central de la Sécurité des Systèmes d'Information

from  France 

and 

Bundesamt für Sicherheit in der Informationstechnik

from  Germany 

and 

Ministry  of  Interior 

from  Greece 

and 

Presidenza  del  Consiglio  dei  Ministri 
Autorità Nazionale per la Sicurezza
CESIS  III  Reparto  -  UCSi 

from  Italy 

and 

Ministry  of  the  Interior  and  Kingdom  Relations 

from  The  Netherlands 

and 




HQ  Defence  Command  Norway/Security  Division 

from  Norway 

and 

Ministerio de Administraciones Públicas

from  Spain 

and 

Communications-Electronics  Security  Group 
Department  of  Trade  and  Industry 

from  the  United  Kingdom 

and 

National  Institute  of  Standards  and  Technology 
National  Security  Agency 

from  the  United  States  of  America 


PLAN  TO  COOPERATE  IN  THE  FOLLOWING  MANNER, 




Preamble 


Purpose  of  the  Arrangement 

The Participants in this Arrangement share the following objectives:

a) to ensure that evaluations of Information Technology (IT) products and protection profiles are
performed to high and consistent standards, and are seen to contribute significantly to
confidence in the security of those products and profiles;

b) to improve the availability of evaluated, security-enhanced IT products and protection profiles;

c) to eliminate the burden of duplicating evaluations of IT products and protection profiles;

d) to continuously improve the efficiency and cost-effectiveness of the evaluation and
certification/validation¹ process for IT products and protection profiles.

The purpose of this Arrangement is to advance those objectives by bringing about a situation in
which IT products and protection profiles which earn a Common Criteria certificate can be
procured or used without the need for further evaluation. It seeks to provide grounds for
confidence in the reliability of the judgements on which the original certificate was based by
requiring that a Certification/Validation Body (CB) issuing Common Criteria certificates should
meet high and consistent standards.

It is likely that some sensitive government systems will be procured, certified and recognised
according to separate bilateral or multilateral agreements. This Arrangement does not constrain
such agreements. In particular, the exceptions described in Article 3 do not apply to any such
separately negotiated agreements.

It  is  accepted  that  both  governmental  and  non-governmental  CBs  are  potentially  capable  of 
performing  trustworthy  certification/validation,  and  that  provision  should  be  made  for  both  types  of 
organisation.  However  recognising  certificates  issued  in  other  nations  involves  decisions  and 
commitments  that  are  specific  to  government.  The  functions  of  issuing  and  recognising 
certificates  have  therefore  been  distinguished  in  this  Arrangement. 

Spirit  of  the  Arrangement 

The  complexity  of  information  systems  is  such  that  even  the  most  carefully  written  security 
evaluation  criteria  and  evaluation  methodology  cannot  cover  every  eventuality.  In  many  cases  the 
application  of  the  criteria  will  call  for  expert  professional  judgement,  as  will  the  oversight  of  their 
application.  In  exercising  such  judgement,  the  Participants  will  endeavour  to  use  the  level  of 
assurance  in  the  IT  product  under  evaluation  as  their  metric.  The  Participants  in  the  Arrangement 
therefore  plan  to  develop  and  maintain  mutual  understanding  and  trust  in  each  other’s  technical 
judgement  and  competence,  and  to  maintain  general  consistency  through  open  discussion  and 
debate. 

The  Participants  will  endeavour  to  work  actively  to  improve  the  application  of  the  criteria  and 
methodology,  for  example  by  developing  and  establishing  more  cost-effective  assurance 
packages,  and  by  identifying  and  discarding  those  requirements  that  do  not  make  a  significant 
contribution  to  assurance.  The  Participants  also  plan  to  advance  the  economical  reuse  of 
evaluation  output,  for  example,  by  encouraging  sponsors  of  evaluations  to  provide  such 
information  to  interested  parties. 


¹ Certain Schemes may choose to employ the term validation instead of certification. For the purposes of this recognition
arrangement, the terms are deemed to be equivalent in their meaning and intended purpose as reflected in the Glossary
at Annex A.


Article 1


Membership 

Participants in this Arrangement are government organisations or government agencies,
representing their country or countries. Participants may be producers of evaluation certificates,
consumers of evaluation certificates, or both. Certificate consuming Participants, although they
may not maintain an IT security evaluation capability, nevertheless have an expressed interest in
the use of certified/validated products and protection profiles. Certificate authorising Participants
are the Sponsors of compliant CBs (described in Article 5) operating in their own country or
countries and authorise their certificates. Certificate authorising Participants whose organisations
command the resources and expertise of a compliant CB are defined as Qualified Participants.


Article  2 

Scope 

It is mutually understood that, in respect of IT products and protection profiles, the Participants
plan to recognise the Common Criteria certificates which have been authorised by any other
certificate authorising Participant in accordance with the terms of this Arrangement and in
accordance with the applicable laws and regulations of each Participant. This Arrangement
covers claims of compliance against any of the Common Criteria assurance components required
for Evaluation Assurance Levels 1 through 4. Extension of the scope may be agreed by the
Participants in this Arrangement at any time, in accordance with the provisions of Article 14, by
adding other assurance levels or components.


Article  3 

Exceptions 

If to recognise a Common Criteria certificate would cause a Participant to act in a manner
inconsistent with applicable national, international or European Community law or regulation, that
Participant may decline to recognise such a certificate. In particular, in cases where an IT product
or a protection profile is being considered for an application which involves the protection of
information attracting a security classification or equivalent protective marking required or
authorised under the provisions of national law, subsidiary legislation, administrative regulation or
official obligation, Participants may decline, in respect of that application only, to recognise a
certificate.


Article  4 

Definitions 

Terms crucial to the meaning of this Arrangement or which are used in a sense peculiar to this
Arrangement are defined in a Glossary at Annex A of this Arrangement. Such terms appear in
italic type on their first appearance in the text of this Arrangement.


Article 5


Conditions  for  Recognition 

Except as otherwise provided in this Arrangement, each Participant should recognise applicable
Common Criteria certificates authorised by any certificate authorising Participant. Such
authorisation confirms that the evaluation and certification/validation processes have been carried
out in a duly professional manner

a. on the basis of accepted IT security evaluation criteria,

b. using accepted IT security evaluation methods,

c. in the context of an Evaluation and Certification/Validation Scheme managed by a
compliant CB in the authorising Participant's country,

d. and that the Common Criteria certificates authorised and Certification/Validation Reports
issued satisfy the objectives of this Arrangement.

Certificates which meet all these conditions are equivalent for the purposes of this Arrangement.

The IT security evaluation criteria are to be those laid down in the Common Criteria for
Information Technology Security Evaluation (CC), the version endorsed by the Management
Committee and the evaluation methods are to be those laid down in the Common Methodology
for Information Technology Security Evaluation (CM), the version endorsed by the Management
Committee. The minimum requirements for Certification/Validation Reports are laid down in
Annex I to this Arrangement. The minimum requirements for an Evaluation and
Certification/Validation Scheme are laid down in Annex B to this Arrangement. An evaluation and
certification/validation is deemed to have been carried out in a duly professional manner if, as a minimum:

a) the Evaluation Facility

either has been accredited in its respective country by a recognised Accreditation
Body in accordance with EN 45001 or ISO Guide 25 or in accordance with an
interpretation thereof approved by all Participants and has been licensed or approved
in accordance with Annex B.3,

or has been established under the laws, statutory instruments, or other official
administrative procedures valid in the country concerned and meets the requirements
laid down in Annex B.3 to this Arrangement;

and,

b) the CB is accepted as compliant, and

either has been accredited in its respective country by a recognised Accreditation
Body either in accordance with EN 45011 or ISO Guide 65 or in accordance with a
national interpretation of EN 45011 or ISO Guide 65 which at minimum satisfies the
requirements as specified in Annex C of this Arrangement,

or has been established under laws, statutory instruments, or other official
administrative procedures valid in the country concerned and meets the requirements
of EN 45011 or ISO Guide 65 or the requirements laid down in Annex C of this
Arrangement.

In order to assist the consistent application of the Common Criteria and Common Methodology
between Evaluation and Certification/Validation Schemes, the Participants plan to work towards a
uniform interpretation of the currently applicable Common Criteria and Common Methodology. In
pursuit of this goal, the Participants also plan to conduct regular exchanges of information on
interpretations and discussions necessary to resolve differences of interpretation. In further aid to
the goal of consistent, credible and competent application of the Common Criteria and Common
Methodology, the CB should undertake the responsibility for the monitoring of all evaluations in
progress within the Scheme at an appropriate level, and carrying out other procedures to ensure
that all IT Security Evaluation Facilities affiliated with the CB:

a) perform evaluations impartially;

b) apply the Common Criteria and Common Methodology correctly and consistently; and

c) adequately protect the confidentiality of protected information.


Article  6 

Voluntary  Periodic  Assessments 

Assessment of compliant CBs should take place at intervals of approximately, but no more than
five years, for the purpose of assuring that they continue to share the objectives of this
Arrangement and will endeavour to advance the objectives of this Arrangement. The form of such
assessments is set out in Annex D to this Arrangement.


Article  7 

Publications 

Common Criteria certificates authorised by certificate authorising Participants should bear
prominently, in addition to any logo or distinguishing device peculiar to the Participant or its
Evaluation and Certification/Validation Scheme, the mark of the Recognition Arrangement and a
standard form of words. The mark and the form of words are given in Annex E and Annex J to
this Arrangement.

Each certificate authorising Participant should publish, in a section of its Certified/Validated
Products List or as otherwise arranged, brief particulars of all IT products and protection profiles
having certificates authorised by another certificate authorising Participant, unless there is a
reason not to do so under this Arrangement including but not limited to the reasons set forth in
Article 3 of this Arrangement.


Article  8 

Sharing  of  Information 

To  the  extent  disclosure  of  information  is  consistent  with  a  Participant's  national  laws  or 
regulations,  each  Participant  should  endeavour  to  make  available  to  other  Participants  all 
information  and  documentation  relevant  to  the  application  of  this  Arrangement. 

In meeting this obligation, the commercial secrets or protected information of third parties may be
disclosed by an Information Technology Security Evaluation Facility, CB, or Participant only if
prior agreement has been obtained in writing from the third party concerned.

In particular, each Participant should promptly provide information on prospective changes which
might affect its ability to meet the conditions for recognition or which might otherwise frustrate the
operation or intention of this Arrangement.

The  nature  and  scope  of  the  information  and  documentation  that  Participants  are  expected  to 
share  are  more  fully  described  in  Annex  F  to  this  Arrangement. 


Article  9 

New  Participants 


Participants 

Participation  in  this  Arrangement  is  open  to  representatives  from  countries  that  plan  to  uphold  the 
principles  of  the  Arrangement,  subject  to  the  unanimous  consent  of  the  existing  Participants. 

Certification/Validation  Bodies 

A  CB  may  be  determined  to  be  compliant  for  the  purpose  of  Article  5  of  this  Arrangement  upon 
unanimous  consent  of  the  existing  Participants,  if  the  existing  Participants  are  confident  that  it  can 
fulfil  the  conditions  for  recognition  set  out  in  Article  5  of  this  Arrangement  and  Annexes  cited  in 
Article  5,  and  that  it  satisfies  the  conditions  for  compliance,  according  to  the  procedures  laid  down 
in  Annex  G  of  this  Arrangement,  including  shadow  certification/validation. 


Article  10 

Administration  of  this  Arrangement 

A  Management  Committee  should  administer  this  Arrangement.  The  Management  Committee 
should  meet  as  often  as  required  to  consider  matters  affecting  the  status,  terms  or  application  of 
this  Arrangement.  All  Participants  should  be  represented  on  the  Management  Committee.  The 
procedures  and  principal  responsibilities  of  the  Management  Committee  are  set  forth  in  Annex  H 
to  this  Arrangement. 


Article  11 

Disagreements 

Disagreements between the Participants should be resolved through discussions. Participants
should make every effort to resolve disagreements between themselves by negotiation. Failing
this, disagreements should in the first instance, be referred to the Management Committee. The
Management Committee is expected to document its findings in the disagreement. If the
disagreement cannot be resolved by discussion or negotiation, individual Participants may
choose not to recognise affected Common Criteria certificates and notify the Management
Committee of such non-recognition.


Article 12


Use  of  Contractors 

Where  Participants  propose  to  involve  contractors  in  the  implementation  and  operation  of  this 
Arrangement,  particularly  the  procedures  set  out  in  Annex  D  or  in  Annex  G.3  or  G.4  or  Annex  H 
of  this  Arrangement,  they  should  ensure  that  these  contractors  have  appropriate  expertise  and 
should  notify  the  other  Participants.  Protected  information  should  be  passed  to  contractors  only 
with  the  agreement  of  the  originator,  as  laid  down  in  Annex  F.4. 


Article  13 

Costs  of  this  Arrangement 

Except  as  specified  otherwise  elsewhere  in  this  Arrangement,  each  Participant  is  expected  to 
meet  all  its  own  costs  arising  through  its  participation  in  this  Arrangement. 


Article  14 

Revision 

Any  modification  of  the  terms  of  this  Arrangement  will  require  the  unanimous  agreement  of  the 
Participants.  Any  adopted  modification  should  be  recorded  in  a  written  document  signed  by  all  the 
Participants. 


Article  15 

Duration 

Cooperation  under  this  Arrangement  is  expected  to  continue  unless  the  Participants  decide 
unanimously  to  end  it. 


Article  16 

Voluntary  Termination  of  Participation 

Any  Participant  may  terminate  its  participation  in  this  Arrangement,  or  terminate  the  compliant 
status  of  any  CB  that  it  represents,  by  notifying  the  other  Participants  in  writing. 


Article  17 

Commencement 

Activities under this Arrangement will commence on 23 May 2000.


Article 18


Effect of this Arrangement

It is recognised and accepted by each of the Participants that this Arrangement does not create
any substantive or procedural rights, liabilities or obligations that could be invoked by persons
who are not signatories to this Arrangement. Additionally, it is recognised and accepted by each
of the Participants that this Arrangement has no binding effect in national, international or
European Community law on any or all of them, and that they will not attempt to enforce this
Arrangement in any domestic or international court or tribunal. Reports issued by a CB or
Common Criteria certificates authorised by a Participant do not constitute endorsement, warranty
or guarantee by that Certification/Validation Body or Participant, respectively, of IT products or
protection profiles; nor does recognition of Common Criteria certificates authorised as a result of
certification/validation activities constitute the endorsement, warranty, or guarantee in any way of
Certification/Validation Reports issued by another CB or resulting certificates authorised by
another Participant, respectively.




Annex  A 


Glossary 


This  glossary  contains  definitions  of  certain  terms  in  the  text  or  Annexes  of  this  Arrangement 
which  are  used  in  a  sense  peculiar  to  this  Arrangement  or  which  have  a  meaning  crucial  to  the 
interpretation  of  this  Arrangement.  It  also  contains  definitions  of  certain  other  terms  used  in  this 
Annex.  Where  the  definitions  in  this  Annex  differ  from  definitions  of  the  same  terms  given  in  CC 
or  CM,  the  definitions  in  this  Annex  are  to  be  used  in  establishing  the  intended  meaning  of  this 
Arrangement.  Such  definitions  are  broadly  consistent  with  those  given  in  CC  and  CM,  which 
remain  generally  valid.  The  differences  are  in  the  interest  of  greater  clarity  in  the  specific  context 
of  this  Arrangement.  Terms  used  in  definitions  which  are  themselves  defined  elsewhere  in  the 
Glossary  appear  in  italic  type. 

Accredited: 

Formally  confirmed  by  an  Accreditation  Body  as  meeting  a  predetermined  standard  of  impartiality 
and  general  technical,  methodological  and  procedural  competence. 

Accreditation  Body: 

An  independent  organisation  responsible  for  assessing  the  performance  of  other  organisations 
against  a  recognised  standard,  and  for  formally  confirming  the  status  of  those  that  meet  the 
standard. 

Approved: 

See licensed.

Approval Policy:

See licensing policy.

Assessment of compliant CBs:

A procedure for establishing that the evaluations and certifications/validations carried out by a
particular compliant CB continue to be as set out in this Arrangement.

Authorisation:

The sanction by a Participant of the issuing of a Common Criteria certificate by a compliant CB,
permitting the use of the CC certification mark.

CB:

Certification/Validation Body.

Associated CB:

The compliant CB associated with a Qualified Participant.

Compliant CB:

A CB that is listed as compliant in Annex K.

CC:

Common Criteria for Information Technology Security Evaluation, the title of a document
describing a particular set of IT security evaluation criteria (version 2.01 is identical to
ISO-IEC-15408).

Certification/Validation:

The process carried out by a CB leading to the issuing of a Common Criteria certificate.

Certification/Validation Body:

An organisation responsible for carrying out certification/validation and for overseeing the
day-to-day operation of an Evaluation and Certification/Validation Scheme.

Certification/Validation Report:

A public document issued by a CB which summarises the results of an evaluation and confirms
the overall results, i.e. that the evaluation has been properly carried out, that the evaluation
criteria, evaluation methods and other procedures have been correctly applied and that the
conclusions of the Evaluation Technical Report are consistent with the evidence adduced.

Certified/Validated Products List:

A public document giving brief particulars of currently valid Common Criteria certificates in
accordance with this Arrangement.

Client:

A party in contract with an ITSEF for an evaluation.

CM:

Common Methodology for Information Technology Security Evaluation, the title of a technical
document which describes a particular set of IT security evaluation methods.

Common Criteria Certificate:

A public document issued by a compliant CB and authorised by a Participant which confirms that
a specific IT product or protection profile has successfully completed evaluation by an ITSEF. A
Common Criteria certificate always has associated with it a Certification/Validation Report.

Evaluation:

The assessment of an IT product or a protection profile against the Common Criteria using
Common Methodology to determine whether or not the claims made are justified.

Evaluation and Certification/Validation Scheme:

The systematic organisation of the functions of evaluation and certification/validation under the
authority of a CB in order to ensure that high standards of competence and impartiality are
maintained and that consistency is achieved.

Evaluation Facility:

An organisation which carries out evaluations, independently of the developers of the IT products
or protection profiles evaluated and usually on a commercial basis.

Evaluation methods:

See IT security evaluation methods.

Evaluation Technical Report:

A report giving details of the findings of an evaluation, submitted by the Evaluation Facility to the
CB as the principal basis for the Certification/Validation Report.

Interpretation:

Expert technical judgement, when required, regarding the meaning or method of application of
any technical aspect of the criteria or the methodology.

IT product:

A package of IT software or hardware, providing functionality designed for use or incorporation
within a multiplicity of systems.

IT security evaluation criteria:

A compilation of the information which needs to be provided and of the actions which need to be
taken in order to give grounds for confidence that evaluations will be carried out effectively and to
a consistent standard throughout an Evaluation and Certification/Validation Scheme.

IT security evaluation methods:

A compilation of the methods which need to be used by Evaluation Facilities in applying IT
security evaluation criteria in order to give grounds for confidence that evaluations will be carried
out effectively and to a consistent standard throughout an Evaluation and Certification/Validation
Scheme.

ITSEF:

IT Security Evaluation Facility, an accredited Evaluation Facility, licensed or approved to perform
evaluations within the context of a particular IT Security Evaluation and Certification/Validation
Scheme.

Licensed:

Assessed by a CB as technically competent in the specific field of IT security evaluation and
formally authorised to carry out evaluations within the context of a particular Evaluation and
Certification/Validation Scheme.

Licensing policy:

A part of the essential documentation of every Evaluation and Certification/Validation Scheme,
setting out the procedures for making an application to be licensed or approved and for the
processing of such applications and of the training and security requirements which an applicant
must fulfil in order to qualify.

Management Committee:

The body, on which all Participants are represented, which endeavours to ensure the operation of
this Arrangement in accordance with its rules.

Monitoring of evaluations:

The procedure by which representatives of a CB observe evaluations in progress or review
completed evaluations in order to satisfy themselves that an ITSEF is carrying out its functions in
a proper and professional manner.

Originating  party: 

The  source,  e.g.,  an  IT  product  or  protection  profile  developer,  ITSEF,  or  Participant,  producing 
protected  information  associated  with  an  IT  security  evaluation  or  certification/validation. 

Participant: 

A  signatory  to  this  Arrangement. 

Certificate  Consuming  Participant: 

A  Participant  with  a  national  interest  in  recognising  Common  Criteria  certificates. 

Certificate  Authorising  Participant: 

A  Participant  representing  one  or  more  compliant  CBs. 

Qualified Participant:

A  Participant  that  is  also  a  compliant  CB  (or  that  commands  the  resources  and  expertise 
of  a  compliant  CB  sufficiently  for  it  to  provide  technical  experts  to  undertake  shadow 
certification/validation).  The  CB  is  the  associated  CB  of  the  Qualified  Participant. 

Protected  information: 

Information  gathered  or  obtained  under  the  processes  or  activities  in  this  Arrangement  whose 
unauthorised  disclosure  could  reasonably  be  expected  to  cause  (i)  harm  to  competitive 
commercial  or  proprietary  interests,  (ii)  a  clearly  unwarranted  invasion  of  personal  privacy,  (iii) 
damage  to  the  national  security,  or  (iv)  otherwise  cause  harm  to  an  interest  protected  by  national 
law,  subsidiary  legislation,  administrative  regulation  or  official  obligation. 

Protection  profile: 

A  formal  document  defined  in  CC,  expressing  an  implementation  independent  set  of  security 
requirements  for  a  category  of  IT  products  that  meet  specific  consumer  needs. 

Protective  marking: 

Alternative name for security classification, now officially used in the United Kingdom.

Recognition of Common Criteria certificates:

Acknowledgement by Participants that the evaluation and certification processes carried out by
compliant CBs appear to have been carried out in a duly professional manner and meet all the
conditions of this Arrangement, and the intention to give all resulting CC certificates equal weight.

Recognise: 

See  Recognition  of  Common  Criteria  certificates. 

Security classification:

A marking applied to protected information in order to indicate minimum standards of protection
which need to be applied in the national interest.

Shadow certification/validation:

Assessment of a CB in which representatives of at least one Qualified Participant monitor the
evaluation and certification/validation of an IT product in accordance with this Arrangement.

Sponsor  (of  a  CB): 

The  Participant  that  represents  the  interests  of  a  compliant  CB  (or  candidate  compliant  CB)  and 
authorises  its  Common  Criteria  certificates. 

System: 

A  specific  IT  installation,  with  a  particular  purpose  and  operational  requirement. 

Target  of  Evaluation: 

An IT product and its associated administrator and user guidance documentation that is the
subject of an evaluation.

Annex B


Evaluation  and  Certification/Validation  Scheme 


B.1  The  Purpose  and  Principal  Characteristics  of  a  Scheme 

The  main  purpose  of  an  Evaluation  and  Certification/Validation  Scheme  (hereinafter  referred  to 
as  a  Scheme)  is  to  ensure,  through  the  systematic  organisation  and  management  of  the  functions 
of  evaluation  and  certification/validation,  that  high  standards  of  competence  and  impartiality  are 
maintained  and  that  consistency  is  achieved. 

To  this  end,  each  Scheme  is  managed  by  a  single  Certification/Validation  Body,  which  is 
responsible  not  only  for  the  certification/validation  of  evaluated  products  and  evaluated  protection 
profiles,  but,  equally  importantly,  for  other  functions  which  are  listed  in  section  B.2. 

The overall policy of a Scheme (including its Licensing or Approval Policy - see below) may be
set  either  by  the  Certification/Validation  Body  itself  or  by  a  Management  Board.  In  the  latter  case, 
the  Management  Board  has  ultimate  responsibility  for  the  operation  of  the  Scheme  in  accordance 
with  its  rules  and  policies  and,  where  appropriate,  for  the  interpretation  or  amendment  of  those 
rules  and  policies,  while  the  Certification/Validation  Body  manages  the  Scheme  and  applies  the 
rules  and  policies  in  accordance  with  the  policy  guidance  of  the  Management  Board.  In  either 
case,  it  is  very  important  to  ensure  that  mechanisms  are  in  place  to  ensure  that  the  interests  of  all 
parties  with  a  stake  in  evaluation  and  certification/validation  activities  are  given  an  appropriate 
weight  in  the  running  of  the  Scheme. 

The  existence  of  such  a  Scheme  is  of  crucial  importance  in  the  context  of  recognition.  For,  in 
conjunction  with  the  correct  and  consistent  application  of  common  evaluation  criteria  and 
evaluation  methods  it  offers  unique  grounds  for  confidence  that  all  ITSEFs  are  operating  to  the 
same  high  standards  and  thus  in  the  correctness  of  results  and  in  their  consistency  between  one 
ITSEF  and  another.  Such  confidence  is  indispensable  in  establishing  the  trust  on  which  any 
Recognition  Arrangement  is  necessarily  based. 

B.2  The  Role  and  Principal  Characteristics  of  the  CB 

The  CB  is  independent  of  the  ITSEFs,  and  staffed  by  appropriately  qualified  personnel. 

It  may  be  established  under  the  provisions  of  a  law,  subsidiary  legislation  or  other  official 
administrative  procedure  valid  in  the  country  concerned  or  it  may  be  accredited  by  an  appropriate 
Accreditation Body. In both cases, it is to meet either the requirements of EN 45011 or ISO Guide
65  or  the  requirements  as  specified  in  the  Annex  C  of  this  Arrangement. 

The  principal  functions  to  be  performed  by  the  Certification/Validation  Body  are: 

a)  to  authorise  the  participation  of  Evaluation  Facilities  in  the  Scheme  (see  further  below); 

b)  to  monitor  the  performance  of  participating  ITSEFs  and,  in  particular,  their  adherence  to, 
and  application  and  interpretation  of,  the  accepted  evaluation  criteria  and  evaluation 
methods; 

c)  to  see  to  it  that  procedures  are  in  place  within  the  Scheme  to  ensure  that  sensitive 
information  relating  to  products  and  protection  profiles  under  evaluation  and  to  the 
process  of  evaluation  itself  is  appropriately  handled  and  given  the  security  protection  it 
requires and that those procedures are routinely followed (see further below);

d) to issue additional guidance to ITSEFs as required;

e)  to  monitor  all  evaluations  in  progress  within  the  Scheme  at  an  appropriate  level; 

f)  to  review  all  evaluation  reports  (including  especially  Evaluation  Technical  Reports)  to 
ensure  that  the  conclusions  are  consistent  with  the  evidence  adduced  and  that  the 
accepted  evaluation  criteria  and  evaluation  methods  have  been  correctly  applied; 

g)  to  produce  a  Certification/Validation  Report  in  respect  of  each  evaluation  completed 
under  the  auspices  of  the  Scheme; 

h)  to  publish  Common  Criteria  certificates  and  their  associated  Certification/Validation 
Reports; 

i)  to  publish  regularly  a  document  giving  brief  particulars  of  all  products  and  protection 
profiles  evaluated  within  the  Scheme  which  hold  a  currently  valid  Common  Criteria 
certificate  (Certified/Validated  Products  List); 

j) to document the organisation, policy, rules and procedures of the Scheme, to make that
documentation  available  publicly  and  to  keep  it  up  to  date; 

k)  to  ensure  that  the  rules  of  the  Scheme  are  followed; 

l)  to  establish,  and  where  appropriate,  amend,  the  rules  and  policies  of  the  Scheme; 

m)  to  ensure  that  the  interests  of  all  parties  with  a  stake  in  the  Scheme's  activities  are  given 
appropriate  weight  in  the  running  of  the  Scheme. 

In  the  context  of  involvement  in  this  Arrangement,  the  Certification/Validation  Body  associated 
with  a  Qualified  Participant  is  also  responsible  for  providing  technical  support  to  activities  relating 
to  this  Arrangement  in  accordance  with  the  provisions  of  this  Arrangement. 

B.3 Accreditation and Licensing of Evaluation Facilities

Unless  an  Evaluation  Facility  has  been  established  under  a  law  or  statutory  instrument,  if  it  is  to 
participate  in  a  Scheme,  it  needs  to  fulfil  two  conditions: 

a)  be  accredited  by  an  Accreditation  Body  officially  recognised  in  the  country  concerned; 
and 

b)  be  licensed  or  otherwise  approved  by  the  CB  responsible  for  the  management  of  the 
Scheme. 

Accreditation  entails  the  Evaluation  Facility's  demonstrating  its  impartiality  and  its  general 
technical,  methodological  and  procedural  competence  and  in  particular  that  it  meets  the 
requirements  of  EN  45001  or  ISO  Guide  25  in  so  far  as  these  requirements  are  consistent  with 
the  peculiarities  of  the  domain  of  IT  security. 

The  Evaluation  Facility  also  has  to  demonstrate  to  the  satisfaction  of  the  CB  that  it  is  technically 
competent  in  the  specific  field  of  IT  security  evaluation  and  that  it  is  in  a  position  to  comply  in  full 
with  the  rules  of  the  Scheme  concerned.  This  includes  demonstrating  that  it  has  the  ability  to 
apply  the  applicable  evaluation  criteria  and  evaluation  methods  correctly  and  consistently  and 
that  it  meets  stringent  security  requirements  necessary  for  the  protection  of  sensitive  or  protected 
information  relating  to  IT  products  or  protection  profiles  under  evaluation  and  to  the  process  of 
evaluation itself.

An Evaluation Facility which has been licensed or approved to carry out evaluations within a
particular  Scheme  is  known  as  an  IT  Security  Evaluation  Facility  (ITSEF). 

The  licensing  or  approval  policy  for  each  Scheme  includes  details  of  security  and  training 
requirements  and  of  the  procedures  for  making  an  application  to  be  licensed  or  approved  and  for 
the processing of such applications.

Annex C


Requirements for Certification/Validation Body

C.1  General  Requirements 

The  services  of  the  CB  are  to  be  available  without  undue  financial  or  other  conditions.  The 
procedures  under  which  the  CB  operates  are  to  be  administered  in  a  non-discriminatory  manner. 

C.2  Administrative  Structure 

The  CB  is  to  be  impartial.  In  particular,  it  should  have  permanent  staff  responsible  to  a  senior 
executive  enabling  day-to-day  operations  to  be  carried  out  free  from  undue  influence  or  control  by 
anyone having a commercial or financial interest in the certification/validation.

C.3  Organisational  Structure 

The  CB  is  to  have  and  make  available  on  request: 

a)  a  chart  showing  clearly  the  responsibility  and  reporting  structure  of  the  organisation; 

b)  a  description  of  the  means  by  which  the  organisation  obtains  financial  support; 

c)  documentation  describing  its  Evaluation  and  Certification/Validation  Scheme; 

d)  documentation  clearly  identifying  its  legal  status. 

C.4  Certification/Validation  Personnel 

The  personnel  of  the  CB  are  to  be  competent  for  the  functions  they  undertake. 

Information  on  the  relevant  qualifications,  training  and  experience  of  each  member  of  staff  is  to  be 
maintained  by  the  CB  and  kept  up-to-date. 

Personnel  are  to  have  available  to  them  clear,  up  to  date,  documented  instructions  pertaining  to 
their  duties  and  responsibilities. 

If  work  is  contracted  to  an  outside  body,  the  CB  is  to  ensure  that  the  personnel  carrying  out  the 
contracted  work  meet  the  applicable  requirements  of  this  Annex. 

C.5  Documentation  and  Change  Control 

The  CB  is  to  maintain  a  system  for  the  control  of  all  documentation  relating  to  its  Evaluation  and 
Certification/Validation  Scheme  and  ensure  that: 

a)  current  issues  of  the  appropriate  documentation  are  available  at  all  relevant  locations; 

b)  documents  are  not  amended  or  superseded  without  proper  authorisation; 

c)  changes  are  promulgated  in  such  way  that  those  who  need  to  know  are  promptly  informed 
and  are  in  a  position  to  take  prompt  and  effective  action; 

d)  superseded  documents  are  removed  from  use  throughout  the  organisation  and  its  agencies; 

e) those with a direct interest in the Scheme are informed of changes.

C.6 Records

The CB is to maintain a record system to suit its particular circumstances and to comply with
relevant regulations applied in the jurisdiction to which the Participant is subject. The system is to
include all records and other papers produced in connection with each certification/validation; it is
to be sufficiently complete to enable the course of each certification/validation to be traced. All
records are to be securely and accessibly stored for a period of at least five years.

C.7  Certification/Validation  Procedures 

The CB is to have the required facilities and documented procedures to enable the IT product or
protection profile certification/validation to be carried out in accordance with the applicable IT
security evaluation criteria and methods.

C.8  Requirements  of  Evaluation  Facilities 

The CB is to ensure that IT Security Evaluation Facilities conform to requirements specified in this
Arrangement.

The CB is to draw up for each IT Security Evaluation Facility a properly documented agreement
covering all relevant procedures including arrangements for ensuring confidentiality of protected
information and the evaluation and certification/validation processes.

C.9  Quality  Manual 

The CB is to have a Quality Manual and documentation setting out the procedures by which it
complies with the requirements of this Annex. These are to include at least:

a) a policy statement on the maintenance of quality;

b) a brief description of the legal status of the CB;

c) the names, qualifications and duties of the senior executive and other certification/validation
personnel;

d) details of training arrangements for certification/validation personnel;

e) an organisation chart showing lines of authority, responsibility and allocation of functions
stemming from the senior executive;

f) details of procedures for monitoring IT product or protection profile evaluations;

g) details of procedures for preventing the abuse of Common Criteria certificates;

h) the identities of any contractors and details of the documented procedures for assessing and
monitoring their competence;

i) details of any procedures for appeals or conciliation.

C.10  Confidentiality 

To the extent permitted by the national laws, statutes, executive orders, or regulations of the
Participants, the CB should have adequate arrangements to ensure confidentiality of the
information obtained in the course of its certification/validation activities at all levels of its
organisation and is not to make an unauthorised disclosure of protected information obtained in
the course of its certification/validation activities under this Arrangement.

C.11 Publications

The CB is to produce and update as necessary a Certified/Validated Products List. Each IT
product or protection profile mentioned in the list is to be clearly identified. The list is to be
available to the public.

A description of the Evaluation and Certification/Validation Scheme is to be available in published
form.

C.12  Appeals  or  Conciliation 

The CB is to have procedures to deal with disagreements among itself, its associated ITSEFs,
and  their  clients. 

C.13  Periodic  Review 

The  CB  is  to  undertake  periodic  reviews  of  its  scheme  operations  to  ensure  that  it  continues  to 
share  the  objectives  of  this  Arrangement. 

C.14  Misuse  of  Common  Criteria  Certificates 

The CB is to exercise proper control over the use of its Common Criteria certificates.

It is incumbent upon the CB to take appropriate administrative, procedural or legal steps to
prevent or counter the misuse of certificates and to correct false, misleading or improper
statements about certificates or about the Evaluation and Certification/Validation Scheme.

C.15  Withdrawal  of  Common  Criteria  Certificates 

The CB is to have documented procedures for withdrawal of Common Criteria certificates and is
to advertise the withdrawal in the next issue of its Certified/Validated Products List.

Annex D


Voluntary  Periodic  Assessments 

The  Management  Committee  may  select  one  or  more  Qualified  Participants  (excluding  the  CB’s 
Sponsor)  to  carry  out  a  periodic  assessment  of  a  compliant  CB.  Assessments  may  not  be 
conducted  except  pursuant  to  the  written  consent  or  request  of  the  Sponsor,  and  such  consent 
may  be  withdrawn  or  revoked  prior  to  or  during  an  assessment.  The  Sponsor  is  expected  to 
represent  to  the  Management  Committee  any  concerns  the  CB  may  have  about  the  choice  of  the 
assessment  team.  Assessments  should  be  performed  as  described  below,  and  in  accordance 
with  guidance  issued  by  the  Management  Committee  that  will  ensure  that  assessments  are 
performed  to  a  uniform  standard  and  involve  a  predictable  commitment  of  resources. 

The  Participant  or  Participants  performing  the  assessment  may  make  nominations  for  a  primary 
assessment  team  to  consist  of  two  qualified  experts  acceptable  to  the  Management  Committee. 
Any  Participant  may  provide  an  additional  expert  at  its  own  expense.  The  costs  of  providing 
primary  assessment  teams  for  associated  CBs  should  be  distributed  among  the  Qualified 
Participants  in  an  equitable  manner,  to  be  agreed  by  the  Executive  Subcommittee.  If  the  CB 
under  assessment  is  not  an  associated  CB,  it  should  meet  all  the  costs  of  the  primary 
assessment  team  arising  out  of  the  assessment  (including  the  travel,  accommodation, 
subsistence  costs,  and  salaries^). 

The  CB  undergoing  the  periodic  assessment  should  within  one  month  provide  the  complete 
scheme  documentation  applicable  at  the  time.  The  experts  review  the  documentation  to  assure 
that  the  CBs  continue  to  share  the  objectives  of  this  Arrangement,  and  report  their  findings  to  the 
Management  Committee. 

A  shadow  certification/validation  should  be  performed  on  a  suitable  IT  product  at  Common 
Criteria  Evaluation  Assurance  Level  3  or  4  as  agreed  upon  by  the  Participants  directly  involved 
and  a  non-disclosure  agreement  should  be  signed  between  them. 

The  experts  should  satisfy  themselves  that  the  CB  undergoing  the  periodic  assessment  is  acting 
consistently  in  respect  of  all  aspects  of  the  evaluation  and  certification/validation  processes.  In 
carrying  out  this  responsibility,  the  experts  may  wish  to  take  part  in  some  aspects  of  the 
certification/validation  process.  The  CB  undergoing  the  assessment  should  facilitate  this. 

The  experts  are  also  to  check  the  application  of  the  procedures  to  ensure  the  confidentiality  of 
protected  information  described  in  this  Arrangement,  particularly  in  Annexes  B  and  C  to  this 
Arrangement. 

At  appropriate  stages  of  the  evaluation  and  certification/validation,  the  following  documentation 
should  be  provided  for  checking  by  experts: 

a)  the  Security  Target; 

b)  the  Evaluation  Technical  Report; 

c) any written comments on the above documents made by the Certification/Validation Body;

d)  the  Certification/Validation  Report. 

Other evaluation reports should be provided on request in accordance with guidance issued by
the  Management  Committee. 


^ This may be waived if the Qualified Participant carrying out the assessment is prohibited by national law or regulation
from receiving such payment.

All documentation referred to above should be made available in English or in another language
acceptable to the experts. Evaluation reports should be translated only if necessary. Participants
who have consented to an assessment should find and implement a solution to any problem of
language which is acceptable to the experts.

The experts report their findings to the Management Committee, and make a recommendation on
the assessment. The Management Committee reviews the report of the shadow
certifiers/validators. Once the Management Committee is satisfied that the report is internally
consistent and that the conclusion follows from the evidence, the result is delivered to the
Certification/Validation Body undergoing the assessment. The CB being assessed should
demonstrate that it has rectified any shortcomings identified in the assessment within a maximum
of six months.

Annex E


Certificate  and  Service  Marks 


Every  Common  Criteria  certificate  issued  under  the  terms  of  this  Arrangement  is  to  bear  the  mark 
shown below:


This  mark  confirms  that  the  Common  Criteria  certificate  has  been  authorised  by  a  Participant  to 
this  Arrangement  and  it  is  the  Participant's  statement  that  the  certificate  has  been  issued  in 
accordance  with  the  terms  of  this  Arrangement. 

Upon  receipt  of  a  Common  Criteria  certificate,  the  mark  may  be  used  by  vendors  in  conjunction 
with advertising, marketing, and sales of the product for which the certificate is issued. A
Participant  in  this  Arrangement  is  not  to  use  the  mark  to  promote  the  goods  or  services  of  the 
Participant. 

The service mark of this Recognition Arrangement is shown below:

[Service mark image: Common Criteria]


This  service  mark  is  to  be  used  to  identify,  advertise,  and  market  services  which  are  performed  by 
a Participant (or compliant CBs) in conjunction with this Arrangement.

After  termination  of  participation  in  this  Arrangement,  the  terminating  Participant  is  not  to  use  the 
service mark.

Annex F


Information  to  be  Provided  to  Participants 


F.1  Scheme  Documentation 

Each  compliant  CB  is  to  make  available  to  the  Participants  copies  of  the  documents  covering  the 
following  aspects  of  the  Evaluation  and  Certification/Validation  Scheme  for  which  it  is  responsible: 

a)  the  national  set  of  rules  and  regulations  for  evaluation  and  certification/validation  in 
accordance  with  mutually  agreed  IT  security  evaluation  criteria  and  methods; 

b)  the  organisational  structure  of  the  Scheme; 

c)  the  Certification/Validation  Body  Quality  Manual; 

d)  accreditation  or  licensing/approval  policy; 

e)  the  titles  and  addresses  of  the  ITSEFs  associated  with  the  Scheme  and  their  status  (e.g., 
governmental  or  commercial); 

f)  (if  applicable)  the  national  interpretation  of  EN  45001  or  ISO  guide  25. 

On  each  occasion  that  changes  are  made  to  these  documents,  or  new  versions  issued,  copies  of 
the  amendments  or  the  new  version  are  promptly  to  be  made  available  to  all  Participants. 

F.2 Common Criteria Certificates and Certification/Validation Reports

Each  Participant  is  to  provide  to  each  of  the  other  Participants  a  copy  of  each  Common  Criteria 
certificate,  Certification/Validation  Report  and  Certified/Validated  Products  List  it  authorises. 
Whenever  a  compliant  CB  omits  or  removes  an  IT  product  or  protection  profile  from  its 
Certified/Validated  Products  List,  such  CB  should  promptly  notify  the  Participants. 

F.3 General Information Affecting the Terms of this Arrangement

Each  Participant  is  to  provide  a  statement  about  the  effects  of  all  national  laws,  subsidiary 
legislation,  administrative  regulations  and  official  obligations  applying  in  the  country  concerned 
and  directly  affecting  the  recognition  of  Common  Criteria  certificates. 

Each  Participant  should  promptly  draw  to  the  attention  of  the  Management  Committee  any 
changes  or  prospective  changes  to: 

a)  national  laws,  administrative  regulations  or  official  obligations;  or 

b)  the  operation  or  procedures  of  its  Evaluation  and  Certification/Validation  Scheme(s) 

which  may  affect  the  ability  of  that  Participant  to  act  consistently  with  the  terms  of  this 
Arrangement. 

F.4  Confidentiality  Rules 

Some  of  the  procedures  under  this  Arrangement  may  on  occasion  require  the  exchange  of 
protected  information,  the  unauthorised  disclosure  of  which  would  cause  actual  damage  to  the 
Participants, parties associated with the Participants, or parties involved in this Arrangement,
including but not limited to IT product manufacturers. It is important that this information is
appropriately  handled  and  that  procedures  are  defined  to  ensure  that  such  protection  is  achieved. 

A  document  may  be  in  paper  (hard  copy)  or  in  electronic  form. 

Documents  which  contain  protected  information  are  to  be  identified  by  a  special  marking  "RA  in 
Confidence".  The  originating  party  should  apply  this  special  marking. 

Each  Participant  will  endeavour  to  enforce  the  protection  rules  which  follow  and  to  establish  a 
system  to  apply  them. 

F.4.1  Creation  and  management  of  protected  information 

Every  document  which  contains  protected  information  is  to  bear  a  brief,  but  clear  indication  of  the 
identity  of  the  originator  and  the  date  of  issue.  It  is  also  to  have  an  identifier  to  make  it  unique 
(e.g.  a  one-up  serial  number).  If  the  document  is  modified,  then  its  identifier  is  also  to  be  modified, 
at  least  to  the  extent  of  a  version  number  and  the  date  of  issue. 

A  document  remains  protected  either  for  the  period  stated  on  the  document  or,  in  the  absence  of 
a  specific  statement,  until  the  originating  party  no  longer  claims  protection  for  the  protected 
document. 

F.4.2 Procedures for handling protected information

Marking of protected information

Paper  copies  of  documents  which  contain  protected  information  are  to  bear  on  each  page  the 
words  "RA  in  Confidence"  and  the  unique  identifier.  The  period  of  protectability  may  be  shown  on 
the  first  page. 

Removable  magnetic  media  for  computers  which  contain  protected  information,  are  at  a 
minimum,  to  have  a  label  bearing  the  words  "RA  in  Confidence"  and  a  unique  identifier.  A  listing 
on  paper  of  the  content  should  be  attached  to  the  magnetic  medium  whenever  it  is  transported 
from  one  Participant  to  another. 

Storage  and  rules  for  safeguarding  protected  information 

Storage  and  safeguarding  rules  are  applicable  to  documents  containing  protected  information, 
including  draft  versions. 

When  protected  information  is  processed  or  stored  on  a  computer,  it  should  be  appropriately 
safeguarded.  Any  removable  magnetic  medium  on  which  protected  information  is  stored  should 
be  safeguarded  as  though  it  were  a  document  containing  the  same  information. 

Transmission  of  protected  information 

Documents  containing  protected  information  which  are  to  be  sent  through  the  mail,  are  to  be 
enclosed  in  an  inner  and  outer  envelope  system.  The  outer  envelope  should  bear  the  address  of 
the  person  nominated  by  the  receiving  Participant  as  a  point  of  contact  for  RA  correspondence. 
The  inner  envelope(s)  should  contain  the  protected  information,  and  bear  the  words  "RA  in 
Confidence"  together  with  the  name  of  the  intended  recipient. 

In  case  of  electronic  transmission  of  protected  information,  transmission  should  be  done  using 
secure electronic means.

Copying of protected information

Protected information may be copied by a recipient only when this can be clearly justified on
operational grounds.

Disposal of removable magnetic media and protected information

When no longer required, removable magnetic media containing protected information should be
disposed of in a secure manner, and this action recorded in an appropriate register.

Protected information should be thoroughly erased from magnetic media prior to disposal.

Access to protected information

Unless otherwise agreed with the originator, and to the extent permitted by law, access to
protected information received by a Participant is to be restricted to staff who are directly
employed by the Participant or, at the discretion of the head of the Participant’s organisation, to
government officials with a need to know. The duty to keep protected information confidential is
expected to survive this Arrangement.

F.4.3 Additional degree of protection

Occasionally, the information may require an even higher degree of protection. This is to be
determined on a case-by-case basis.

Annex G


New  Compliant  Certification/Validation  Bodies 

G.1  Formal  Request 

If a CB wishes to achieve the status of compliant CB under this Arrangement and believes that it
fulfils the conditions laid down in Article 5 and the Annexes cited in Article 5, it should submit an
application in writing through the Participant in its country. (Note, the CB and the Participant may
be one and the same organisation.) If the Participant supports the application, it becomes the
Sponsor of the CB, and it should forward the application to the Management Committee. The
forwarded application will not be considered a formal endorsement by the Sponsor of the
capability of the applicant to meet the conditions laid down in this Arrangement.

The application is to include a written statement that the applicant wishes to be determined as
compliant under this Arrangement and plans:

a) to meet all costs of the primary assessment team (See G.3 below) arising out of the
application or out of considering and processing that application (including the travel,
accommodation and subsistence costs, and - if and only if the applicant is not applying to
become the associated CB of its Sponsor - also including the salary costs of the primary
assessment team^) whether or not the application is successful;

b) to provide the documentation detailed below; and

c) to submit for shadow certification/validation by representatives of one or more of the
Participants a suitable product which is to be evaluated and certified/validated under the
applicant's oversight.

G.2  Documentation  to  be  Provided 

All documentation and information acquired during the compliance process is to be treated in
accordance with the provisions of Annex F.4. These confidentiality rules may be supplemented by
means of non-disclosure agreement(s).

The following documentation is to be provided:

a) a full description of the scope, organisation and operation of the applicant's Evaluation and
Certification/Validation Scheme, including:

- the title, address and principal point of contact of the CB;

- the CB Quality Manual;

- the subordination of the CB and the statutory or other basis of its authority;

- the system for overseeing the general management of the Scheme, for deciding questions
of policy and for settling disagreements;

- the procedures for certification/validation;

- the titles and addresses of the ITSEF participating in the Scheme and their status
(commercial or governmental);


^  This  may  be  waived  if  the  Qualified  Participant  carrying  out  the  assessment  is  prohibited  by  national  law  or  regulation 
from  receiving  such  payment. 

- the licensing/approval policy and the procedures for accrediting Evaluation Facilities;

-  the  rules  applying  within  the  Scheme  to  the  protection  of  commercial  secrets  and  other 
sensitive  information; 

-  the  procedures  by  which  the  CB  ensures  that  ITSEFs: 

-  perform  evaluations  impartially; 

-  apply  the  mutually  agreed  IT  criteria  and  methods  correctly  and  consistently;  and 

-  protect  the  confidentiality  of  sensitive  information  involved. 

b)  the  latest  issue  of  the  Scheme's  Certified/Validated  Products  List; 

c)  two  or  more  Common  Criteria  certificates  and  Certification/Validation  Reports  issued  under 
the  oversight  of  the  applicant; 

d)  a  statement  about  the  effects  of  all  national  laws,  subsidiary  legislation,  administrative 
regulations  and  official  obligations  applying  in  the  country  of  the  applicant  and  directly 
affecting  the  conduct  of  evaluations  and  certifications/validations  or  the  recognition  of 
Common  Criteria  certificates;  and 

e)  a  statement  that  the  applicant  is  not  bound  by  or  about  to  be  bound  by  any  law,  subsidiary 
legislation  or  official  administrative  order  which  would  give  it  or  the  IT  products  and  protection 
profiles  to  which  it  awards  Common  Criteria  certificates  an  unfair  advantage  under  this 
Arrangement  or  which  would  otherwise  frustrate  the  operation  or  intention  of  this 
Arrangement. 

G.3  Management  Committee's  Response 

The  Management  Committee  is  to  acknowledge  the  application  within  three  weeks  of  its  receipt 
and  make  a  preliminary  response  to  it  within  a  target  of  three  months.  The  preliminary  response 
should  indicate  the  acceptability  of  the  application  assuming  that  technical  examination  of  the 
documentation and the shadow certification/validation are successful.

When  the  Management  Committee  concurs  that  the  information  supplied  by  the  applicant  is 
satisfactory  and  that  no  clarification  or  supplementary  information  is  required,  the  applicant  will  be 
asked  to  nominate  as  candidates  for  shadow  certification/validation  at  least  two  products  for 
which  a  Common  Criteria  Evaluation  Assurance  Level  3  or  4  is  claimed. 

The  applicant  should  supply  an  outline  summary  of  each  product  and  details  of  the  arrangements 
for  its  evaluation  and  certification/validation.  The  Management  Committee  is,  within  a  target  of 
one  month  of  receipt  of  the  nomination,  to  select  one  of  the  products  for  shadow 
certification/validation  and  to  notify  the  applicant  accordingly. 

The  Management  Committee  is  to  select  one  or  more  Qualified  Participants  (other  than  the 
Sponsor)  to  carry  out  the  shadow  certification/validation.  The  Participant  or  Participants  selected 
are  to  make  nominations  for  a  primary  assessment  team  to  consist  of  two  experts.  Any 
Participant  (including  the  Sponsor)  may  provide  an  additional  expert  at  its  own  expense.  The 
Management  Committee  is  to  inform  the  applicant  of  the  names  and  parent  organisations  of  the 
experts. 

G.4 Shadow Certification/Validation Procedure

It is for the experts to decide, based on guidance issued by the Management Committee (that will
ensure that assessments are performed to a uniform standard) and in the light of all the
information available to them, how much of the evaluation and certification/validation process
they need to shadow. The Management Committee guidance will be made available to the
applicant CB to permit an estimate of the resources required by the assessment.

The experts are to report their findings in writing to the Management Committee within one month
of the completion of their investigation and no later than one month from the completion of the
evaluation and certification/validation process on the selected product, together with a
recommendation on whether the candidate's application should be accepted or rejected. The
Management Committee is to convey its decision to the applicant in writing within a target of two
months following receipt of the experts' report. In the case of rejection, the Committee should
provide a summary of the reasons for the decision and of the principal evidence on which it is
based. In the case of acceptance, the Committee should record the decision by updating Annex K
accordingly.

Annex H


Administration  of  the  Arrangement 


H.1  Responsibilities  and  Competence 

The Management Committee acts in any matters of policy relating to the status, terms and
operation of this Arrangement. It decides on the admittance of new Participants, the compliance
of new CBs, and changes to the scope of the Arrangement.

H.2 Composition

All Participants are to be represented on the Management Committee. The Chairman of the
Management Committee is to be appointed by the Management Committee from among the
Participants to serve for a period of not more than one year. Each of the Participants is to chair in
succession. The current chair should provide for administrative support to the Management
Committee.

H.3 Decisions

Each country represented on the Management Committee is to have one vote. Decisions are to
be reached by simple majority, except in those cases where a specific requirement is laid down
elsewhere in this Arrangement for unanimity.

H.4 Attendance

The Management Committee may invite experts or technical advisers to attend meetings of the
Management Committee to advise on specific issues.

H.5 Use of Experts

The Management Committee may establish ad-hoc groups of experts to provide support and
advice as required.

H.6 Frequency of Meetings

The Management Committee will meet in plenary yearly, or as it deems fit. Where practical, it will
take decisions by e-mail.

H.7  Executive  Subcommittee 

The Management Committee should establish an Executive Subcommittee to manage the
day-to-day business of the Arrangement Group and provide technical advice and recommendations to
the Management Committee.

The Executive Subcommittee should consist of Qualified Participants and additional discretionary
Participants up to a numerical limit determined by the Management Committee.

The business of the Executive Subcommittee includes:

a) developing and recommending procedures for the conduct of the business of the
Arrangement Group;

b) assessing the technical compliance of new CBs;

c) recommending revisions of this Arrangement;

d) managing the continuous monitoring activities;

e) resolving technical disagreements about the terms and application of this Arrangement;

f) managing the development of IT security evaluation criteria and IT security evaluation
methods;

g) managing the maintenance of historical databases as to the background to interpretations
and any resultant decisions that could affect future versions of either the criteria or
methodology.

Annex I


Contents  of  Certification/Validation  Reports 


I.1 Certification/Validation Report and Its Use

The  Evaluation  Technical  Report  (ETR)  is  written  by  the  Evaluation  Facility  for  the  Certification/ 
Validation  Body  and  serves  as  the  principal  basis  for  the  Certification/Validation  Report.  The 
objective  of  the  ETR  is  to  present  all  verdicts,  their  justifications  and  any  findings  derived  from  the 
work  performed  during  the  evaluation,  including  errors  found  during  the  development  of  the  IT 
product  or  protection  profile  and  any  exploitable  vulnerabilities  discovered  during  the  evaluation. 
The  ETR  may  contain  protected  information  as  necessary  to  justify  evaluation  results. 

The  Certification/Validation  Report  is  the  source  of  detailed  security  information  about  the  IT 
product  or  protection  profile  for  any  interested  parties.  Its  objective  is  to  provide  practical 
information  about  the  IT  product  or  protection  profile  to  consumers.  The  Certification/Validation 
Report  need  not,  nor  should  contain  protected  information  since,  like  the  Security  Target,  it 
contains  information  for  the  consumer  necessary  to  securely  deploy  the  evaluated  IT  product. 

I.2 Executive Summary

The  executive  summary  is  a  brief  summary  of  the  entire  report.  The  information  contained  within 
this  section  should  provide  the  audience  with  a  clear  and  concise  overview  of  the  evaluation 
results.  The  audience  for  this  section  could  include  developers,  consumers  and  evaluators  of 
secure  IT  systems  and  products.  It  may  be  that  the  reader  will  be  able  to  gain  a  basic  familiarity 
with  the  IT  product  or  the  protection  profile  and  the  report  results  through  the  executive  summary. 
Some  clients,  (e.g.  accreditors,  management)  may  only  read  this  section  of  the  report,  therefore, 
it  is  important  that  all  key  evaluation  findings  be  included  in  this  section.  An  executive  summary 
should  contain,  but  is  not  limited  to  the  following  items: 

a)  Name  of  the  evaluated  IT  product,  enumeration  of  the  components  of  the  product  that  are 
part  of  the  evaluation,  developer's  name,  and  version; 

b)  Name  of  IT  security  evaluation  facility; 

c)  Completion  date  of  evaluation;  and 

d)  Brief  description  of  the  report  results: 

- assurance package;

- functionality;

- summary of threats and Organisational Security Policies (OSPs) addressed by the
evaluated IT product;

- special configuration requirements;

- assumptions about the operating environment;

- disclaimers.

I.3 Identification

The  evaluated  IT  product  has  to  be  clearly  identified.  The  software  version  number,  any 
applicable  software  patches,  hardware  version  number,  and  peripheral  devices  (e.g.  tape  drives, 
printers,  etc.)  must  be  identified  and  recorded.  This  provides  the  labeling  and  descriptive 
information  necessary  to  completely  identify  the  evaluated  IT  product.  Complete  identification  of 
the  evaluated  IT  product  will  ensure  that  a  whole  and  accurate  representation  of  the  IT  product 
can  be  recreated  for  use  or  for  future  evaluation  efforts. 

I.4 Security Policy


The  security  policy  section  should  contain  the  description  of  the  IT  product's  security  policy.  The 
security  policy  describes  the  IT  product  as  a  collection  of  security  services.  The  security  policy 
description  contains  the  policies  or  rules  that  the  evaluated  IT  product  must  comply  with  and/or 
enforce. 

I.5 Assumptions and Clarification of Scope

The security aspects of the environment/configuration in which the IT product is expected to be
used should be included in this section. The section provides a means to articulate the
clarification  of  the  scope  of  the  evaluation  with  respect  to  threats  that  are  not  countered.  Users 
can  make  informed  decisions  about  the  risks  associated  with  using  the  IT  product.  Usage, 
environmental  assumptions,  and  clarification  of  the  scope  of  the  evaluation  with  respect  to  threats 
that  are  not  countered  should  be  stated  in  this  section. 

I.5.1 Usage assumptions

In  order  to  provide  a  baseline  for  the  product  during  the  evaluation  effort  certain  assumptions 
about  the  usage  of  the  IT  product  have  to  be  made.  Items  such  as  proper  installation  and 
configuration,  minimum  hardware  requirements  being  satisfied,  etc.,  all  have  to  be  assumed.  This 
section  documents  any  usage  assumptions  made  about  the  IT  product  during  the  evaluation. 

I.5.2 Environmental assumptions

In order to provide a baseline for the IT product during the evaluation effort certain assumptions
about the environment the product is to be used in have to be made. This section documents any
environmental assumptions made about the IT product during the evaluation.

I.5.3 Clarification of scope

This  section  lists  and  describes  threats  to  the  IT  product  that  are  not  countered  by  the  evaluated 
security  functions  of  the  product.  It  may  occur  that  some  clients  will  assume  that  some  threats  are 
being  met  by  the  IT  product  but  in  fact  they  are  not.  It  is  for  these  reasons  that  these  uncountered 
threats  should  be  listed  for  clarification.  It  would  however,  be  impractical  to  list  all  possible  threats 
that  cannot  be  countered  by  an  individual  product. 

I.6 Architectural Information

This  section  provides  a  high  level  description  of  the  IT  product  and  its  major  components  based 
on  the  deliverables  described  in  the  Common  Criteria  assurance  family  entitled  Development- 
High  Level  Design  (ADV_HLD).  The  intent  of  the  section  is  to  characterise  the  degree  of 
architectural  separation  of  the  major  components. 

I.7 Documentation

A  complete  listing  of  the  IT  product  documentation  provided  with  the  product  by  the  developer  to 
the  consumer  is  listed  in  this  section.  It  is  important  that  all  relevant  documentation  be  noted  with 
the  version  numbers.  The  documentation  at  a  minimum  describes  the  user,  administration  and 
installation  guides.  It  may  occur  that  the  administration  and  installation  guide  information  is 
contained  in  a  single  document. 

I.8 IT Product Testing

This section describes both the developer and evaluator testing effort, outlining the testing
approach, configuration, depth, and results.

I.9 Evaluated Configuration

This section documents the configuration of the IT product during the evaluation. Typically, the
administrator or installation guide will provide the necessary details for the correct configuration of
the  IT  product.  The  IT  product  may  be  configurable  in  a  number  of  different  ways  depending  on 
the  environment  it  is  used  in  or  the  security  policies  of  the  organisation  that  it  enforces. 

The precise settings and configuration details with accompanying rationale for these choices are
outlined in this section. Any additional operational notes and observations can also be included.
This  section  is  of  particular  importance,  as  it  provides  a  baseline  for  the  evaluated  product 
installation. 

I.10 Results of the Evaluation

This  section  documents  the  assurance  requirements  that  the  IT  product  satisfies.  A  detailed 
description  of  these  requirements,  as  well  as  the  details  of  how  the  product  meets  each  of  them 
can  be  found  in  the  Security  Target. 

I.11 Evaluator Comments/Recommendations

This section is used to impart additional information about the evaluation results. These
comments/recommendations can take the form of shortcomings of the IT product discovered
during  the  evaluation  or  mention  of  features  which  are  particularly  useful. 

I.12 Annexes

The  Annexes  are  used  to  outline  any  additional  information  that  may  be  useful  to  the  audience  of 
the  report  but  does  not  logically  fit  within  the  prescribed  headings  of  the  report  (e.g.  complete 
description  of  security  policy). 

I.13 Security Target

The  Security  Target  must  be  included  with  the  Certification/Validation  Report.  However,  it  should 
be  sanitised  by  the  removal  or  paraphrase  of  proprietary  technical  information. 

I.14 Glossary

The  Glossary  is  used  to  increase  the  readability  of  the  report  by  providing  definitions  of  acronyms 
or  terms  of  which  the  meanings  may  not  be  readily  apparent. 

I.15 Bibliography

The  Bibliography  section  lists  all  referenced  documentation  used  as  source  material  in  the 
compilation  of  the  report.  This  information  can  include  but  is  not  limited  to: 

a)  criteria,  methodology,  program  scheme  documentation; 

b)  technical  reference  documentation;  and 

c)  developer  documentation  used  in  the  evaluation  effort. 

It is critical for the sake of reproducibility that all developer documentation is uniquely identified
with the proper release date, and proper version numbers.

Annex J


Common  Criteria  Certificates 


The  following  information  is  provided  for  inclusion  on  all  Common  Criteria  certificates  issued  on 
behalf  of  Participants  to  this  Recognition  Arrangement. 

J.1 Common Criteria Certificates Associated with IT Product Evaluations

A  Common  Criteria  certificate  authorised  by  a  Participant  resulting  from  the  certification/validation 
of  an  IT  product  evaluation  is  to  include  the  following  information: 

a)  Product  Manufacturer; 

b)  Product  Name; 

c)  Type  of  Product; 

d)  Version  and  Release  Numbers; 

e)  Protection  Profile  Conformance  (if  applicable); 

f)  Evaluation  Platform  (optional); 

g)  Name  of  IT  Security  Evaluation  Facility  (optional); 

h)  Name  of  Certification/Validation  Body; 

i)  Certification/Validation  Report  Identifier;'^ 

j)  Date  Issued;  and 

k)  Assurance  Package.® 

The  certificate  is  also  to  include  the  following  statements: 

The  IT  product  identified  in  this  certificate  has  been  evaluated  [insert  at  an  accredited  and 
licensed/approved  evaluation  facility  or  at  an  evaluation  facility  established  under  the  laws, 
statutory  instruments,  or  other  official  administrative  procedures  of  [insert  name  of  Participant's 
country]]  using  the  Common  Methodology  for  IT  Security  Evaluation,  [insert  version  number],  for 
conformance  to  the  Common  Criteria  for  IT  Security  Evaluation,  [insert  version  number].  This 
certificate  applies  only  to  the  specific  version  and  release  of  the  product  in  its  evaluated 
configuration  and  in  conjunction  with  the  complete  Certification/Validation  report.  The  evaluation 
has  been  conducted  in  accordance  with  the  provisions  of  the  [insert  format  name  of  scheme]  and 
the  conclusions  of  the  evaluation  facility  in  the  evaluation  technical  report  are  consistent  with  the 
evidence  adduced.  This  certificate  is  not  an  endorsement  of  the  IT  product  by  the  [insert  name  of 
Participant] or by any other organisation that recognises or gives effect to this certificate, and no
warranty of the IT product by [insert name of Participant] or by any other organisation that
recognises or gives effect to this certificate, is either expressed or implied.

In addition to the information listed, the mark referenced in Annex E should be placed on each IT
product-related Common Criteria certificate authorised by the Participants.

“ The Certification/Validation report identifier should uniquely identify the document. It should include, as a minimum, the
Certification/Validation Body name, the evaluation criteria used, the report number, and year of issue.

^ The assurance package confirmed should distinguish between Common Criteria Evaluation Assurance Level Part 3
conformant and Common Criteria Evaluation Assurance Level Part 3 augmented. Augmentation should be designated by
a plus, (e.g., EAL 3 +).

J.2 Common Criteria Certificates Associated with Protection Profile Evaluations

A  Common  Criteria  certificate  authorised  by  a  Participant  resulting  from  the  certification/validation 
of  a  protection  profile  evaluation  is  to  include  the  following  information: 

a)  Protection  Profile  Developer; 

b)  Protection  Profile  Name/Identifier; 

c)  Version  Number; 

d)  Name  of  IT  Security  Evaluation  Facility  (optional); 

e)  Name  of  Certification/Validation  Body; 

f)  Certification/Validation  Report  Number; 

g)  Date  Issued;  and 

h)  Assurance  Package.® 

The  certificate  is  also  to  include  the  following  statements: 

The  protection  profile  identified  in  this  certificate  has  been  evaluated  [insert  at  an  accredited  and 
licensed/approved  evaluation  facility  or  at  an  evaluation  facility  established  under  the  laws, 
statutory  instruments,  or  other  official  administrative  procedures  of  [insert  name  of  Participant's 
country]]  using  the  Common  Methodology  for  IT  Security  Evaluation  [insert  version  number]  for 
conformance  to  the  Common  Criteria  for  IT  Security  Evaluation  [insert  version  number].  This 
certificate  applies  only  to  the  specific  version  of  the  protection  profile  listed  in  this  certificate  and 
in  conjunction  with  the  complete  Certification/Validation  report.  The  evaluation  has  been 
conducted  in  accordance  with  the  provisions  of  the  [insert  format  name  of  scheme]  and  the 
conclusions  of  the  evaluation  facility  in  the  evaluation  technical  report  are  consistent  with  the 
evidence  adduced.  This  certificate  is  not  an  endorsement  of  the  protection  profile  by  the  [insert 
name  of  Participant]  or  by  any  other  organisation  that  recognises  or  gives  effect  to  this  certificate, 
and  no  warranty  of  the  profile  by  [insert  name  of  Participant]  or  by  any  other  organisation  that 
recognises  or  gives  effect  to  this  certificate,  is  either  expressed  or  implied.  In  addition  to  the 
information  listed,  the  mark  referenced  in  Annex  E  should  be  placed  on  each  protection  profile- 
related  Common  Criteria  certificate  authorised  by  the  Participants. 


®  The  assurance  package  confirmed  should  distinguish  between  Common  Criteria  Evaluation  Assurance  Level  Part  3 
conformant  and  Common  Criteria  Evaluation  Assurance  Level  Part  3  augmented. 

Annex K


Compliant  CBs 


Australasian  Information  Security  Evaluation  Programme 

sponsored  by 

Defence  Signals  Directorate  and  Government  Communication  Security  Bureau, 
from  Australia  and  New  Zealand 

Canadian  Common  Criteria  Evaluation  and  Certification  Scheme 

sponsored  by 

Communications  Security  Establishment, 
from  Canada 

Schema  d’Evaluation  et  Certification  Francais 

sponsored  by 

Service  Central  de  la  Securite  des  Systemes  d'Information, 
from  France 

Bundesamt  fur  Sicherheit  in  der  Informationstechnik 
(Zertifizierungsstelle) 

sponsored  by 

Bundesamt  fur  Sicherheit  in  der  Informationstechnik, 
from  Germany 

UK  IT  Security  Evaluation  and  Certification  Scheme 

sponsored  by 

Communications-Electronics  Security  Group  and  Department  of  Trade  and 
Industry, 

from  the  United  Kingdom 

National  Information  Assurance  Partnership  Common  Criteria 
Evaluation  and  Validation  Scheme 

sponsored  by 

National  Institute  of  Standards  and  Technology,  and  National  Security  Agency, 
from  the  United  States  of  America 